Dshield Web Honeypot going beta

Published: 2009-06-11. Last Updated: 2009-06-11 17:16:16 UTC
by Jason Lam (Version: 1)
4 comment(s)

We started the Dshield Web Honeypot project roughly one year ago. The goal of this project is to do for web applications what Dshield has done for the community with firewall logs. We are not trying to detect targeted attacks; we are after fast-scanning, self-replicating threats that have the potential to affect the whole community quickly.

Similar to the original Dshield project, we rely on volunteers to feed us logs. In the case of web logs, it is not easy to collect detailed logs (e.g. HTTP headers, HTTP body) from the web server's own access log alone, which is why we have a PHP + Apache based client component for volunteers to install as their log collector (or honeypot). We are announcing today that the client software for this project is entering beta. Special thanks to the volunteers on this project.
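To make the point about access logs concrete, here is an added Python example (not code from the honeypot client, which is PHP, and not part of the original diary). It takes one constructed HTTP request, writes the Common Log Format line a stock web server would record for it, and next to that the full record (request line, headers, body, decoded form fields) that an in-process collector can capture. The client address, host name and timestamp are assumptions for the example.

```python
"""Added example: what a plain access log keeps versus what an in-process
honeypot collector can keep for the same request. Not the DShield client."""
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample request (not a real capture): an automated probe
# carrying its payload in the POST body, where an access log never looks.
SAMPLE_REQUEST = (
    b"POST /admin/login.php HTTP/1.1\r\n"
    b"Host: honeypot.example.org\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"user=admin&pass=%27%20OR%201%3D1--"
)
SAMPLE_CLIENT = "192.0.2.10"  # assumed client address (documentation range)
SAMPLE_TIME = datetime(2009, 6, 11, 17, 16, 16, tzinfo=timezone.utc)  # assumed


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body.
    Header names are lowercased; the body is cut to Content-Length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": headers,
        "body": body[:length].decode("iso-8859-1"),
    }


def clf_line(client_ip: str, req: dict, status: int, size: int, when: datetime) -> str:
    """The Common Log Format line a web server writes: no headers, no body."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return '%s - - [%s] "%s %s %s" %d %d' % (
        client_ip, stamp, req["method"], req["target"], req["version"], status, size)


def full_record(client_ip: str, req: dict, when: datetime) -> dict:
    """The record a collector running inside the request can keep: every
    header and the raw body, plus decoded form fields when the body is a
    form submission. This is where the probe's payload actually shows up."""
    rec = {
        "time": when.isoformat(),
        "client": client_ip,
        "method": req["method"],
        "target": req["target"],
        "headers": req["headers"],
        "body": req["body"],
    }
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        rec["form"] = parse_qs(req["body"], keep_blank_values=True)
    return rec


def demo() -> tuple:
    """Run both loggers over the constructed request and return the pair."""
    req = parse_request(SAMPLE_REQUEST)
    return clf_line(SAMPLE_CLIENT, req, 200, 512, SAMPLE_TIME), full_record(SAMPLE_CLIENT, req, SAMPLE_TIME)


if __name__ == "__main__":
    line, rec = demo()
    print("access log:", line)
    print("honeypot  :", json.dumps(rec, indent=2))
```

The access-log line shows only that someone POSTed to /admin/login.php; the injected password field and the User-Agent string used to fingerprint the scanner survive only in the full record, which is the data the honeypot client is there to submit.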

For this project to be successful, we need your support in sending us logs. The honeypot client software can be downloaded from the Dshield portal under My Information (login first).

For the impatient, here are the high-level instructions.

The installation starts with downloading and untarring the code into a directory. Run config.php under /lib to configure the client. Then run update-client.php to ensure you have the latest copy of all the code. Follow that by running update-template.php, which updates all the web pages in the honeypot. After that, it is a matter of configuring the Apache virtual host (sample config under /docs) and you should be all set.

Once you are submitting web logs, the Dshield main portal page should let you view all the logs you are submitting (1 hr time delay). Let us know how this is working out for you.

-------------------------------------------------
Jason Lam  -  http://twitter.com/jasonlam_sec

Comments

I was looking into this but the documentation on getting this up and running was VERY sparse. I'll have to check to see if there were any documentation updates.
OK, I misspoke... just saw your 2nd-from-the-bottom paragraph. I'll give it a spin soon.
I have created a DShield ID and logged in, but can not find a "My Information" page. I found "MY DSHIELD", but didn't find anything on it about downloading the client software.
I got it going on OpenBSD tonight in a chroot environment. Had to do a few tweaks...

My mod_rewrite rule is:

RewriteRule !^(index\.php)(.*) index.php/$1

The permissions on the logs directory in the instructions didn't work; I had to give execute permissions to Apache so it can get into that folder to write logs.

Had to write a small shell wrapper to run the update-client.php script within the chroot environment. Had to bring all the php-cli deps into the chroot as well as create a resolv.conf so that isc.sans.org can be resolved.

I don't like that $sBaseDir is getting overwritten with each update. I'll tweak my update script to reset it to my value. It would be nice if it were a file sitting next to the index for include, so it wouldn't get overwritten with updates.
